Title: SYSTEM AND METHOD FOR DETECTING MALWARE
IN EXECUTABLE SCRIPTS ACCORDING TO ITS
FUNCTIONALITY

Inventors: C.D. Sandu et al.

Docket No.: MSFT122167

Sheet 1/15




Fig. 1A. (PRIOR ART) [drawing; no legible labels]

Fig. 1B. (PRIOR ART) [drawing; no legible labels]






Sheet 2/15 [drawing; no legible labels]







Sheet 3/15

Fig. 3A. (flowchart; legible blocks in reading order)
  START
  NORMALIZE SCRIPT - FIRST NORMALIZATION (SEE FIGURE 4)
  COMPARE FIRST SCRIPT SIGNATURE TO KNOWN MALWARE SIGNATURES
  REPORT THAT SCRIPT SIGNATURE MATCHES A KNOWN MALWARE SIGNATURE
  END
  SET PARTIAL MATCH FLAG
  (decision-block labels on this sheet are not legible)






Sheet 4/15

Fig. 3B. (flowchart, continued from Fig. 3A; legible blocks in reading order)
  GENERATE SECOND SCRIPT SIGNATURE (SEE FIGURE 9)
  316  COMPARE SECOND SCRIPT SIGNATURE TO KNOWN MALWARE SIGNATURES
  318  [decision; label partly illegible, ends in "MATCH?"] (YES / NO)
  PARTIAL MATCH? (YES / NO)
  PARTIAL MATCH FLAG SET? (YES / NO)
  324  REPORT THAT SCRIPT SIGNATURE PARTIALLY MATCHES A KNOWN MALWARE SIGNATURE
  END
  REPORT THAT SCRIPT SIGNATURE DOESN'T MATCH ANY KNOWN MALWARE SIGNATURES
  (reference numerals 320 and 322 also appear; their blocks are not legible)






Sheet 5/15

Fig. 4. (flowchart; legible blocks in reading order)
  START
  CREATE FIRST SCRIPT SIGNATURE
  SELECT FIRST ROUTINE IN THE SCRIPT
  406  NORMALIZE ROUTINE, GENERATE ROUTINE TOKEN SET (SEE FIGS. 5A-B)
  408  ANY MORE ROUTINES?
  410  SELECT NEXT ROUTINE IN THE SCRIPT
  412  RETURN SCRIPT SIGNATURE
  END




Sheet 6/15

Fig. 5A. (flowchart; legible blocks in reading order)
  START
  CREATE ROUTINE TOKEN SET
  INITIALIZE VARIABLE AND SUBROUTINE COUNTERS
  OBTAIN FIRST TOKEN FOR ROUTINE FROM SCRIPT
  EVALUATE THE TOKEN
  IS IT AN IGNORE TOKEN? (YES / NO)
  connector B
  512  [decision; label not legible] (YES / NO)
  GET NEXT TOKEN FOR ROUTINE FROM SCRIPT
  RETURN ROUTINE TOKEN SET
  END
  (reference numerals 514 and 516 also appear; their blocks are not legible)






Sheet 7/15

Fig. 5B. (flowchart; legible blocks in reading order)
  GENERATE NORMALIZED VARIABLE NAME
  INCREMENT VARIABLE COUNTER
  WRITE NORMALIZED VARIABLE NAME TO ROUTINE TOKEN SET
  connector (circle; label not legible)




Sheet 8/15

Fig. 5C. (flowchart; legible blocks in reading order)
  [decision; label not legible] (YES)
  GENERATE NORMALIZED SUBROUTINE NAME
  INCREMENT VARIABLE COUNTER
  WRITE SUBROUTINE VARIABLE NAME TO ROUTINE TOKEN SET
  connector (circle; label not legible)
  WRITE ROUTINE TOKEN TO ROUTINE TOKEN SET






Sheet 9/15 [drawing; no legible labels]







Sheet 10/15 [drawing printed rotated; text not legible]






Sheet 11/15 (normalized script excerpt as printed in the drawing; tokens are space-separated, variables renamed V0, V1, ... and subroutines R0, ...)

V0 = left ( wscript . scriptfullname len ( wscript . scriptfullname ) - len ( wscript . scriptname ) )
V1 = array ( "loanwebservice" )
V2 = array ( V0 )

set V0 = getobject ( "iis://localhost/w3svc/1" )
if isobject ( V0 ) = false then
if not V1 then
R0 ( "unable to locate the site, iis must be installed." )
end if

set V2 = V0 . getobject ( "iiswebvirtualdir" "root" )
if ( V3 <> 0 ) then
if not V1 then
R0 ( "unable to access root for " & V0 . adspath )
end if
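The normalization and matching flow of Figs. 3A-5C, as an added worked example that is not the patent's or the inventors' own code. It assumes VBScript-style "sub ... end sub" routines, a keyword/builtin list, separators/newlines/comments as the ignore tokens, a simple rule for telling subroutine names from variable names, and the constructed sample scripts at the bottom; it also reuses a normalized name when an identifier recurs inside a routine and passes member names after "." through verbatim, as the excerpt above does.

```python
import re

# Keywords/builtins passed through verbatim (assumption: the patent does not list them).
KEEP = {"sub", "end", "if", "then", "else", "set", "not", "dim", "call", "true",
        "false", "wscript", "left", "len", "array", "getobject", "isobject"}
TOKEN_RE = re.compile(r"'[^\n]*|\"[^\"]*\"|\n|[A-Za-z_]\w*|<>|[=()&.<>+\-*/]|\S")
IGNORE = {",", ":", "\n"}  # ignore tokens (Fig. 5A): separators and newlines; comments too

def split_routines(script):
    routines, cur = [], []  # each 'sub ... end sub' is a routine; top-level code forms its own
    for s in (line.strip() for line in script.lower().splitlines()):
        if s.startswith("sub ") and cur:        # flush top-level code preceding a sub
            routines.append("\n".join(cur)); cur = []
        if s:
            cur.append(s)
        if s.startswith("end sub"):
            routines.append("\n".join(cur)); cur = []
    return routines + (["\n".join(cur)] if cur else [])

def normalize_routine(text):
    """Figs. 5A-5C: counters restart per routine; a recurring name reuses its token."""
    names, count, out = {}, {"V": 0, "R": 0}, []
    toks = TOKEN_RE.findall(text)
    for i, tok in enumerate(toks):
        if tok in IGNORE or tok.startswith("'"):
            continue
        prev = toks[i - 1] if i else "\n"
        if tok in KEEP or prev == "." or not re.fullmatch(r"[a-z_]\w*", tok):
            out.append(tok)                     # keyword, member name, literal or operator
            continue
        if tok not in names:                    # first sight: classify, then number it
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            is_sub = prev == "sub" or (nxt == "(" and prev in ("\n", "call", "then", "else"))
            kind = "R" if is_sub else "V"
            names[tok], count[kind] = f"{kind}{count[kind]}", count[kind] + 1
        out.append(names[tok])
    return tuple(out)
def script_signature(script):   # Fig. 4: ordered list of routine token sets
    return [normalize_routine(r) for r in split_routines(script)]
def compare(signature, known):
    """Figs. 3A/3B: full match if every known routine is present, partial if only some."""
    hits = sum(1 for routine in known if routine in signature)
    return "match" if hits == len(known) else ("partial" if hits else "none")
# Constructed sample: a script on file, and a variant with every identifier renamed.
ON_FILE = """sub report(msg)
  wscript.echo msg
end sub
set obj = getobject("iis://localhost/w3svc/1")
if isobject(obj) = false then report("unable to locate the site")"""
RENAMED = re.sub(r"\b(report|msg|obj)\b", lambda m: {"report": "warn", "msg": "m", "obj": "x"}[m[1]], ON_FILE)
```

`compare(script_signature(RENAMED), script_signature(ON_FILE))` reports a full match even though no identifier survived the rename, while a script that shares only the "sub" routine reports a partial match.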